Are you working on them? Cyber security measures · 2018-11-21


Page 1

Are you working on them? Cyber security measures

IT devices and the Internet are already indispensable every day in people’s lives and business.

However, risks and dangers are inextricably linked to the convenience we take for granted.

It’s sensible to employ cyber security measures before you or your company suffer damage!

“I know that cyber security measures are important, but I don’t know where to begin.” There are surely many people in this position. However, the fact is that the number of cyber-attack cases is on the rise. Targeted attacks, aimed at certain companies and organizations, are becoming commonplace, and it can happen to you too. Moreover, the recent development of the IoT, where various systems and devices themselves are connected to the Internet, has caused insidious damage to systems that is difficult for the public to understand. Neither companies nor individuals can ignore this risk.

Regardless of the amount spent on cyber security measures, in the vast majority of cases it is difficult to quantify the benefits that these expenditures may have on a company in the form of direct profits. Nonetheless, if personal or technical information leaks, or if the control systems of a plant are damaged, irreparable damage could occur, and if IoT devices in the field of automated driving or medical care are compromised, the result may be literally fatal. So the utilization of IT and comparable security measures should be considered as two sides of the same coin.

Therefore, to answer the question of where to begin with cyber security measures, METI and other organizations are planning to formulate and announce two sets of guidelines. One is the “Cybersecurity Management Guidelines,” a compilation of the points that business managers should be aware of. The other is the “IoT Security Guidelines,” which encourages those who work with cyber systems and IoT devices, including users, to be aware of necessary measures.

From the next page onward, we introduce some actual examples of cyber security measures and countermeasures against cyber-attacks, including those referred to in the two sets of Guidelines. Based on this latest information, please consider reinforcing your security measures for the future.

04–05 METI Journal

Page 2

Ironclad security measures

How should we respond to the increasing threat of cyber-attack? We asked Professor Ryoichi Sasaki of Tokyo Denki University, who played a central role in formulating the government guidelines.

Recently, cyber-crime is becoming more and more vicious. Around the beginning of 2000, when the website of the Science and Technology Agency was altered during an unauthorized access and hacking captured the public’s attention, most of the attacks were hackers attacking websites randomly for fun. However, since around 2010, when there was a cyber-attack on a nuclear fuel facility in Iran, there has been an increase in targeted attacks aimed at important companies and infrastructure, either for economic benefit or ordered by national governments.

Attack strategies are also becoming more and more sophisticated. For instance, multiple e-mails are sent containing information that may attract the interest of the target company’s employees, and if the file is opened by any of these employees, the damage spreads to every computer in the company that is connected to the network. Moreover, in addition to the conventional theft of confidential information, some hacks cause the computer systems of the organization to malfunction by altering data, after which the hackers can demand ransom in exchange for restoring the damaged system to its original state. The criminal methodologies and damage are both increasing.

Because cyber-crime is relatively cheap and hard to trace, it is considered “a crime that pays,” and the number of coordinated criminal incidents is increasing. It is expected that attacks will continue to increase in severity in the future.

Because the return on investment for investing in cyber security measures is hard to see, companies have not been taking appropriately advanced measures to combat the problem. However, in cases where companies are the victims of an actual leak of confidential information, the impact has been enormous, including billions to tens of billions of yen spent in rectifying the problem, in addition to damage to the brand. Thus, it is important that business managers personally recognize risks and commit themselves to taking countermeasures.

For example, even implementing inexpensive measures, like promptly installing security patches, updating the OS and software of servers or office computers and using passwords that are more sophisticated, will reduce risks. Multi-layered defenses which identify fraudulent e-mails to prevent intrusion, separate company networks to limit the scope of any breach, and prevent information leakage through employing better firewalls will further raise the safety level. Utilizing cost-benefit and risk analysis to select measures appropriate for each company is recommended.

Safety of IoT is another important issue. There are many systems like sensors that are used for long periods without constant monitoring and yet lack adequate security systems to prevent infiltration. Moreover, last year, the results of an experiment in disabling the brakes of an automobile through remote hacking became news. If remote hacking caused equipment malfunctions, the impact on the public could be tremendous. Business managers need to work closely with security and product/service development managers in companies selling devices and services to understand the safety issues inherent in IoT and consider appropriate countermeasures. They must first assess whether the devices should be introduced or not based on strict safety assessments. Then, if necessary, security systems need to operate on the premise of anonymous users and long use periods. For instance, if necessary information is embedded in the chip from the beginning, it will be less expensive compared to addressing any problem after it occurs. Please understand that achieving higher levels of security for IoT will lead to stronger competitiveness.

As a guideline for countermeasures, the national government launched the “Cybersecurity Management Guidelines” and “IoT Security Guidelines.”

The former, summarizing business manager roles regarding security measures in an easy-to-read manner, has attracted many people’s attention, partly due to the occurrence of a large-scale data leak from a corporation last spring, and we feel that it was able to encourage an awareness of the need for security countermeasure promotion among top management. The latter are the first comprehensive guidelines for coping with the entire lifecycle of the product, compiled by METI and the Ministry of Internal Affairs and Communications and targeted to a broad range of readers including business managers, product development managers, and users. I have information that discussions in each industrial field, for example automobiles or medical devices, are taking place based on these guidelines.

Recently, awareness of security among companies has improved, and maintaining access logs, which can be used as evidence in the event of an emergency, is becoming more mainstream. Now, an increasing number of companies are organizing cyber security emergency response teams (CSIRT/CERT). In terms of technology, there are new software packages that produce alerts by detecting any abnormalities in analyzing access logs. On the other hand, hacking techniques also continue to develop. It is highly probable that viruses incorporating AI will be created in the near future. With approximately 53 billion devices being connected to the network by 2020, if no measures are taken while IoT is developing, the risk will simply continue to increase. Therefore, it is necessary to continue collecting and sharing the latest information and taking measures to cope with new threats. I hope that the two guidelines motivate people to think about cyber security and develop discussions further.
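As an added illustration of the log-analysis practice Professor Sasaki mentions (keeping access logs as evidence and alerting on abnormalities in them), the following is example code written for this article; it is not software from METI, Tokyo Denki University or any vendor named here. It parses constructed web-server access-log lines and raises alerts on two abnormalities: a burst of failed logins from one source, and a successful login from a source that was just failing repeatedly. A crude request-volume baseline is included as a first pass. All hosts, paths and timestamps are made up.

```python
"""Access-log anomaly detection: added example, not METI or vendor code.
All log lines below are constructed; hosts, paths and times are made up."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the common "combined"-style web server log format.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2018:09:00:01 +0900] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [21/Nov/2018:09:00:07 +0900] "GET /news HTTP/1.1" 200 2048
198.51.100.7 - - [21/Nov/2018:09:00:10 +0900] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [21/Nov/2018:09:00:12 +0900] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [21/Nov/2018:09:00:13 +0900] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [21/Nov/2018:09:00:15 +0900] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [21/Nov/2018:09:00:18 +0900] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [21/Nov/2018:09:00:21 +0900] "POST /login HTTP/1.1" 200 1024
198.51.100.7 - - [21/Nov/2018:09:00:25 +0900] "GET /admin/export HTTP/1.1" 200 90000
203.0.113.9 - - [21/Nov/2018:09:01:00 +0900] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [21/Nov/2018:09:03:30 +0900] "POST /login HTTP/1.1" 200 1024
192.0.2.44 - - [21/Nov/2018:09:02:00 +0900] "GET /news HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Parse combined-format lines into dicts, sorted by time. Unparseable
    lines are skipped but counted: a parser that silently drops lines hides
    exactly the evidence the logs are kept for."""
    entries, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    entries.sort(key=lambda e: e["ts"])
    return entries, skipped


def failed_login_bursts(entries, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources with at least `threshold` failed
    logins (HTTP 401 on /login) inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for e in entries:
        if e["path"] == "/login" and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in failures.items():
        start, peak = 0, 0
        for end, t in enumerate(times):  # times are already sorted
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def success_after_burst(entries, bursts):
    """A successful login from a source that was just failing repeatedly is the
    strongest signal here: it suggests the password was eventually guessed."""
    return sorted({
        e["ip"] for e in entries
        if e["ip"] in bursts and e["path"] == "/login" and e["status"] == 200
    })


def rate_outliers(entries, factor=3.0):
    """Flag sources whose request count exceeds `factor` times the median
    per-source count: a crude volume baseline, useful before a proper
    per-client profile exists."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["ip"]] += 1
    median = statistics.median(counts.values())
    return {ip: n for ip, n in counts.items() if n > factor * median}


def analyse(text):
    """Run all detectors over one log text and return their findings."""
    entries, skipped = parse_log(text)
    bursts = failed_login_bursts(entries)
    return {
        "parsed": len(entries),
        "skipped": skipped,
        "failed_login_bursts": bursts,
        "success_after_burst": success_after_burst(entries, bursts),
        "rate_outliers": rate_outliers(entries),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds (five failures in sixty seconds, three times the median request count) are assumptions for the constructed sample; in practice they are tuned per site against a period of known-normal traffic, and the "success after burst" alert is the one worth paging on, since it indicates a likely account compromise rather than just noise.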

Cybersecurity Management Guidelines

This is the first set of security measure guidelines issued by the government targeted to business managers in order to ensure network safety, which is essential for business. The guidelines summarize the risk of cyber-attacks and the necessity of countermeasures, the three principles that business managers should adopt at a minimum, the framework for management and proactive measures, and ten important items to consider when there has been an attack.

IoT Security Guidelines

This is the set of comprehensive guidelines on IoT security measures. There are some points to keep in mind through the entire IoT device production-to-end-use cycle, including risk analysis and formulation of security measures, design and production of devices and services and the operation and maintenance thereof, and precautions when using IoT. The set of guidelines is a summary targeted at a wide audience including business managers, developers and users.

Cyber-crime is becoming more diverse and sophisticated

The commitment of management is key

Utilizing government guidelines in considering security measures

Mr. Ryoichi Sasaki

Professor and Director of the Information Security Laboratory at Tokyo Denki University. Serves as Cyber Security Advisor to the Cabinet Office. Assumed current post after working in research and development at Hitachi, Ltd. Former Chair of the Japan Society of Security Management.

● Information Security Laboratory, Department of Information Systems and Multi Media, School of Science and Technology for Future Life, Tokyo Denki University (in Japanese)

IoT: Points that IoT business managers, product developers and users should keep in mind

Business managers at suppliers
● Recognize the impact in cases when IoT devices are damaged by cyber-attacks.
● Directly take countermeasures in order to ensure IoT security, without delegating the responsibility to others.

Device/Service Development Managers
● Design security systems on the premise of anonymous users and long use periods.
● Understand that the total cost is lower if sufficient security measures are taken from the start.

General users
● Don’t leave IDs and passwords unchanged from the default setting.
● Power down unused devices and delete all data before disposing of a machine.

Let’s ask experts about how they formulated the guidelines

Three principles that business managers should adopt
● Business managers must recognize cyber security risks and exert leadership in taking security measures.
● Measures must be extended to business partners to ensure coverage.
● Adequate communication, including disclosure of information related to the responses to be taken, must be maintained with relevant parties both during normal operation and in times of emergency.

We all need to think about this.

Page 3

They don’t just think about their own company.

Case examples of other companies serve as very useful references when you decide to start taking serious measures. Here we highlight some examples of cyber security measures by pioneering companies. Different companies take different measures.

Fujitsu Limited: Fujitsu swiftly adopted the METI guideline

Fujitsu recently published the "Fujitsu Group Information Security Policy," an update of its existing policy reflecting the release of the "METI Cybersecurity Management Guideline." In addition, the company newly established the CISO (Chief Information Security Officer) position, which reports to the Risk Management and Compliance Committee. Fujitsu also reviewed its global information security regime and is making efforts to ensure that the various measures are actually implemented.

● Fujitsu Group Information Security Policy

NEC Corporation: Reinforcing security in an integrated manner together with outsourced contractors

NEC Group categorizes its outsourcing contractors according to the level of information security measures implemented. It tries to reduce risks by selecting contractors with an adequate level of security. The company also conducts document checks, visits contractors every year for inspections and individually provides feedback on the results to allow contractors to undertake in-house evaluations of their security level. NEC also promotes other multifaceted efforts, including holding information security seminars throughout Japan to explain measures to be taken by NEC Group members.

● NEC Information Security Report 2016

Hitachi, Ltd.: Developing security human resources through an in-house certification system

Hitachi Group prioritizes “information security human resources.” By establishing an in-house certification system, the company focuses on discovering and developing such human resources. Based on the IT Skills Standard set by METI, the company categorizes human resources into three groups: “advanced security human resources who can respond to unknown attacks,” “security human resources that oversee system development and operations and can respond to familiar attacks” and “security human resources that implement pre-developed security measures.” The education and practical training necessary for each group are implemented.

● Hitachi, Ltd. Information Security Report 2016 (in Japanese)

Taisei Corporation: The Frontline of Cyber Security! Established CSIRT and upgraded emergency response system

Taisei Corporation is the first company in the construction industry to launch “T-SIRT,” an in-house Computer Security Incident Response Team (CSIRT), which has gained member status in the Nippon CSIRT Association. The team is in charge of responding to incidents, a task previously covered by the Information Planning Department. At the same time, the company is upgrading its system to respond to emergencies. T-SIRT is a virtual organization within the Information Planning Department, under the direct control of the Corporate Planning Office, with members drawn from Taisei Information System Co., Ltd., an information-related group company. It also provides technical support to business partners and specialty construction companies that share data and client information.

● Taisei-SIRT, Taisei Corporation (in Japanese)

Dai Nippon Printing Co., Ltd.: Implements realistic scenario training based on actual examples

Dai Nippon Printing Co., Ltd. handles a vast amount of personal information in its business activities. Based on its know-how cultivated through preventing data breaches and so on, the company develops training schemes for security engineers and provides them to other companies. Their training programs allow the trainees to experience realistic defense training using attack scenarios based on actual cyber-attack examples. The training is carried out in four-member teams, and the team leaders can set the roles and responsibilities for the team members and provide instruction on subsequent steps to be taken. This training also allows trainees to develop teamwork and leadership at the same time.

● Dai Nippon Printing Co., Ltd.

Tokyo Gas Co., Ltd.: Protecting LNG Terminal by obtaining CSMS certification

Any gas supply interruptions due to problems with the control system could have massive impacts on the public. Tokyo Gas obtained CSMS* certification for its Hitachi LNG Terminal. In addition to putting effort into ensuring security at existing terminals, the company is now able to confirm security levels and identify security problems more objectively with this certification. Further, the smooth PDCA (plan-do-check-act) mechanism is reinforced. As a result, the company has effective strategies for maintaining security continuously despite changes in the external environment.

* Cyber Security Management System: International standard set by the International Electrotechnical Commission (IEC); IEC 62443-2-1

● Case examples of Tokyo Gas Group obtaining CSMS certification (in Japanese)

Page 4

What we can learn from those with an abundance of first-hand security experience

We asked the two largest specialized institutions in Japan, which respond to incidents including computer viruses and unauthorized access on a daily basis, for the “must-know” information on cyber security measures.

[IPA (Information-technology Promotion Agency)]

Cyber security is a business challenge regardless of the size of the company!

—— What is the essential message behind the Cybersecurity Management Guidelines formulated by METI and IPA?

The guidelines were compiled with the hope that companies would come to regard cyber security as a matter of business strategy and that business managers would take direct control in advancing measures, for instance, thinking about the level of investment in countermeasures and methods of demonstrating their superiority in this regard. Making these types of decisions definitely requires good business judgment. Cyber security measures are an integral part of a company’s risk management.

—— We hear that you are at work on revising guidelines geared to small and medium-sized enterprises.

According to the survey conducted by IPA, the smaller an enterprise, the more likely it is to have holes in its cyber security measures. For example, while more than half of small enterprises permit the use of private work terminals for employees, the ratio of setting passwords for those terminals is lower than average.

The guideline, which is the first revision since the formulation of the Guidelines in 2009, is going to cover the development of mobile and cloud services and legislative changes including the implementation of the Individual Number System. Further, various tools for cyber security measures are going to be provided in the appendices, including self-diagnosis sheets for companies, asset management ledgers for the construction and operation of management cycles and lists of countermeasures categorized by type of threat.

—— IoT products are becoming widespread in many areas. What is necessary to guarantee their safety?

The key will be to cover the maximal risk factors of the product or system from the outset of development. Based on this premise, it is important to incorporate an advance mechanism for maintaining safety. However, in reality, it is difficult for many engineers to envision all potential risks outside their areas of expertise, so developing engineers with a broad range of expertise is our priority.

—— What kind of activities will IPA implement in order to strengthen society-wide cyber security measures?

While the Cybersecurity Management Guidelines have been discussed since their launch, we are also hearing that the guideline doesn’t provide concrete images of the measures to be taken. In the future, we would like to encourage communication between top and middle management and other employees by preparing practical guides explaining the process of implementing each priority issue, for instance.

Is internal communication proving effective?

● Information-technology Promotion Agency

[IPA] IPA is a policy implementation institution with a role in securing IT measures for the realization of a “reliable IT society” by ensuring the safety/reliability of public information systems that are becoming increasingly complex and expansive. Its mission statement lists “IT Security,” “Improving Reliability of Information Processing Systems,” and “IT Human Resources Development.” It also issues publications, for example, the Information Security White Paper 2016.

[JPCERT/CC (Japan Computer Emergency Response Team Coordination Center)]

The important point is to recognize incidents as “my own issue” and never forget implementing basic countermeasures

—— It is said that cyber-attacks are becoming increasingly sophisticated and complex. What is your view on the reality of the situation?

About 10 years ago, it was first said that attackers were becoming organized. And it was about 5 years ago that the impact of attacks on society became evident. During these years, attack techniques have actually become more sophisticated. However, we should also note the fact that our society is becoming rapidly and increasingly reliant on IT. The reality is that the targets of attacks and their techniques are expanding as IT becomes the foundation of social and corporate activities.

—— What are the key points when taking actual countermeasures?

First, make sure to apply security updates to the OS and other software and install security software. It is important to know that a large number of attacks can be prevented through these basic countermeasures. In reality, we see systems being operated without being updated, or people opening attachments of suspicious e-mails. There are so many cases where such flaws are leveraged.

—— What is your advice on the approach or mindset in implementing security measures?

The important point is to recognize incidents you see on day-to-day news as “your own issue”. If a company is attacked and the damage extends to its business partners and customers, public trust and reputation will decrease significantly. However, it is not easy for a company that has never been attacked to imagine enormous damage in reality. In this sense, we also believe it is important to create a society where people who recognize incidents as their own issue and take appropriate countermeasures are recognized.

—— Lastly, what is your advice to companies and individuals who will start implementing security measures?

The bottom line is “people” – those who set up attacks and those who receive them are all people. It is important to keep this in mind when considering security measures. What can be done to help users detect that something is going wrong as soon as possible? What is necessary to be able to identify attacks quickly? Such perspectives are essential when adopting security devices and software, etc. Consequently, readiness is important when you talk about corporate security. It is effective to prepare plans and manuals in case an incident occurs. Speed is a critical factor in responding to cyber-attacks where damage spreads instantly.

The bottom line is “people” — users and attackers are all people!

● JPCERT Coordination Center

[JPCERT/CC] JPCERT/CC provides assistance against intrusions, denial of service and other attacks conducted through the Internet by collecting and sharing information, supporting incident response, examining and advising on measures for preventing recurrence, etc., from a technical perspective. It is a non-governmental, not-for-profit, independent organization that actively engages in improving information security measures in Japan.

Information security measures in small and medium enterprises

Ratio of companies with private, employee smartphones and tablets used for work (%: allow use for work / currently considering / not considering it yet / have no plan to allow it)
  Total (n=1,056):                                                    38.9 / 13.2 / 15.2 / 32.7
  Small enterprises (n=300):                                          50.3 / 7.7 / 18.3 / 23.7   (more than 50% allow it)
  Small and medium enterprises with less than 100 employees (n=473):  38.9 / 16.3 / 14.2 / 30.7
  Small and medium enterprises with 100 employees or more (n=283):    26.9 / 13.8 / 13.8 / 45.6

Ratio of companies in which adequate password protection is employed (%)
  Total (n=1,758):                                                    66.2
  Small enterprises (n=501):                                          56.7   (ratio of setting passwords lower than average)
  Small and medium enterprises with less than 100 employees (n=707):  67.9
  Small and medium enterprises with 100 employees or more (n=550):    72.5

Source: Report on the Fact-Finding Survey on Information Security Measures Taken by Small and Medium Enterprises 2015 (IPA)

Category of incidents reported to JPCERT/CC (from April 2015 to March 2016)
  Scan: 49%
  Website defacement: 21.9%
  Phishing site: 14.0%
  Others: 8.7%
  Malware site: 3.3%
  DoS/DDoS: 1.2%
  Targeted attack: 0.9%
  ICS related: 0.2%

Various incidents are observed. “Scan” refers to incidents that search for vulnerabilities in systems. Website defacements and phishing sites follow, together accounting for a large percentage.

Page 5

Protect critical infrastructure from cyber-attacks with the cooperation of government and the private sector!

Should the infrastructure supporting society be successfully cyber-attacked, the damage to society could be serious. How can we cope with this threat, which is increasing every year? Here we will introduce some of the latest joint efforts by national governments and companies.

It is important for the government and private sector to cooperate!

For example, an electric power company in Ukraine was cyber-attacked and a major power outage occurred in 2015. If such an attack took place in Japan, serious disruption to the public and economic damage would be inevitable, even to the point of endangering people’s lives. Therefore, reinforcing cyber security is indispensable in terms of national security, too. In the U.S. or Israel, with an ample military budget, human resources have been trained in response to the needs of military and intelligence agencies. However, the situation is different here in Japan. It is important for the national government and the companies in charge of the stable operation of infrastructure to cooperate and construct a public system which secures the necessary investment. Therefore, it is desirable to promote a cycle wherein both public and private sectors share an awareness of security, establish a mechanism wherein they promote security measures by formulating guidelines and creating a kind of cyber risk insurance, and develop human resources who will continuously implement actual measures.

Cycle for the promotion of cyber security countermeasures

1. Sharing common understanding between the public and private sectors: risk analysis and determination of defense capability, seminars for CEOs, etc.
2. System to ensure implementation of appropriate countermeasures: management guidelines, control system guidelines, cyber risk insurance, etc.
3. Building a platform for fostering core human resources capable of implementing countermeasures: cooperation with overseas institutions, for example in the U.S.

Establishment of the “Industrial Cyber Security Promotion Center (tentative name),” which serves as a center for human resource development and countermeasures planning

[Industrial Cyber Security Promotion Center (Tentative name)] The Industrial Cyber Security Promotion Center (Tentative name) is a public- and private-sector cooperative base for the development of human resources who can act as the core of cyber security countermeasures at companies. In the Center, the program will conduct simulation exercises using simulated plants.

Roles of the Industrial Cyber Security Promotion Center (Tentative name), fostering core human resources for the implementation of cyber-security

● Cyber exercises using simulated plants: training on reliability examinations and countermeasures development using a simulated plant
In order to protect infrastructure and industrial bases from cyber-attacks, it is necessary to conduct practical training, so a simulated plant is constructed, equipped with full systems, from information-related systems to actual control systems. Practical skills will be fostered here with experts, including in-house hackers and researchers, through training programs including exercises in quickly restoring systems after cyber-attacks or verifying safety and reliability. The center will also actively cooperate with overseas organizations in order to obtain the latest information, conduct joint exercises with the relevant ministries and U.S. agencies, and exchange with Israeli companies and ministries/agencies.

● Reliability examinations and countermeasure development of actual control systems
A team consisting of vendor companies, user companies, and experts conducts surveys, on request, of the cyber safety and reliability of control systems and IoT devices which companies are planning to introduce.

● Collection and study of attack-related information
Countermeasures are improved based on the insights provided by researchers in a wide range of fields including networks, control systems, and criminal psychology, and by collecting, analyzing, and studying new attack methods.